First off, I wanna say I appreciate you taking the time to construct a detailed response.
I probably shouldn’t have waited 8 days to reply to you. Honestly, I didn’t think I’d get any replies as there’s a variety of important topics I’ve seen other users post about that had no replies. So, I need to check this more often instead of missing everything only to find out 8 days later, somebody responded.
Anyway, other than doing a lot of different things at once, Brave’s device fingerprinting resistance feature in ‘Settings’ does… I don’t know. I’m not sure what it does. Even the documentation is unclear, but I do know it’s currently not customizable (i.e., you cannot select what exactly you wish to spoof, in the case of my topic it would be WebGL specifically).
In the Device Fingerprinting in Settings, it makes sense to block any kind of 3rd Party Device Fingerprinting (same with cookies that are 3rd Party) for pretty basic privacy/security reasons. However, I personally have opted to just block 3rd Party Device Fingerprinting because of the simple fact that I cannot customize what I want Brave to spoof and what I want Brave to keep normal in Fingerprinting Protection.
The general concept I have is that I’m pretty aware that, as a Brave user, most Device Fingerprinting will tell domains I visit that I’m using Chrome with Ad/Tracker Blocking extensions that they cannot detect (they can only detect ‘Chrome PDF’ extension). It will also tell them in ‘User Agent’ that I’m using "KHTML, like Gecko’. That’s fine with me if they know that information. Other users may want higher security than me when it comes to that. In fact, I’d like to make sure the PDF extensions are the ONLY extensions they can see (if I add more extensions in the future).
But, they can also see that I have 12 CPU cores and can identify my GPU down to the literal specific manufacturer. This is a big problem because only two types of computers will have this kind of setup and the general population isn’t generally using machines like this. Workstation Computers and Gaming Computers are the only types of computers that have specifications like mine, which are visible via Device Fingerprinting.
They’re going to know I’m using one of those two types of machines, which very drastically narrows down the pool of possible people I could be. If I want to be anonymous, that will be difficult if they know exact GPU and its manufacturer. I mean it’s bad enough they can see how many CPU threads I’m running, but at least they don’t know the specific CPU model, only the number of physical/logical total threads.
Well, for one thing, my Computer is a workstation computer. Theoretically, I could run almost any game I wanted at 1080p max settings on my computer, too, but I don’t have this hardware for gaming purposes. It’s for work purposes. I work with a lot of graphic animation software, professional video editing software that benefits from having a strong GPU, and I also work with extremely CPU-intensive professional software in non-graphical applications.
I can most certainly be tracked if Device Fingerprinting is the method used. They won’t be able to track me through my IP Address because I use a VPN service and alternate between a lot of different North American servers. There also aren’t any IP leaks in WebRTC on my end, not only because of the VPN, but also because I have in Brave ‘Settings’ to use ‘Default Public Interface Only’, which reveals absolutely no private IP Addresses. Even if that Brave Setting for WebRTC failed me, the VPN is yet another layer of defense to stop WebRTC leaks.
This isn’t just a rambling diatribe, though. I’ve taken a lot of security measures that will make almost every form of tracking useless against me. But, the Device Fingerprinting is a HUGE SECURITY HOLE. It’s a huge PRIVACY hole. Are workstation and gaming computer users REALLY private on Brave if their exact GPUs are being leaked and they can’t customize Device Fingerprinting Protection at all? That depends on whether or not a potential bad actor is relying on Device Fingerprinting as their primary invasive method.
Who runs 12 CPU threaded hardware alongside a strong mid-range GPU? People on workstations or gamers. A gamer running my computer’s hardware would probably be doing so to maximize settings on every 1080p resolution game they play. Gamers wanting to run 1440p and 4k stuff would for sure be running something a lot stronger than my GPU, but the thing is when you work in the field I do, you need the same graphical processing power as a Gamer who is maxing out 1080p game settings. My only defense is a bad actor my think I’m a gamer. So, maybe they get the wrong idea, but that’s simply not good enough of a defense!
But again, this fatal WebGL leak would tell every website who runs a couple dozen lines of WebGL code the freaking manufacturer AND exact GPU. That’s dangerous for the privacy of users.
I feel like the Brave developers ought to be making this WebGL leaking thing a very big priority. Anybody running mid-range GPUs can be tracked and anybody running high-end GPUs can potentially be SPECIFICALLY identified. A bad actor can literally know who the person is if they’re running stronger GPUs than me because those are you 1440p max settings on everything gamers. That is not good at all for user privacy! They’re even more compromised than I am, potentially!